EU Working Party releases cloud computing recommendations
Group identifies privacy and security risks
September 23, 2012 at 08:00 PM
On July 1, an influential European body released an opinion that offers guidance to companies trying to comply with European Union (EU) personal data-protection requirements in the context of cloud computing—the “global technological paradigm,” as the opinion calls it, that companies are turning to in an attempt to manage their data efficiently and affordably. In its opinion, the Article 29 Working Party (WP 29) identifies some of the key privacy and security risks related to storing and processing personal data in the cloud. Notably, it also recognizes the economic benefits of the cloud. The opinion also notes that cloud computing can offer security benefits: It allows small- to medium-size companies to acquire sophisticated data-security technologies that otherwise would be budgetary impossibilities.
The WP 29, mandated under Article 29 of the EU's Data Protection Directive, consists of privacy experts and information commissioners from each EU member state who meet to discuss and publish opinions that aid in harmonizing the different states' approaches to applying the directive. Although their opinion is not EU law, it has quite a bit of authority.
“In some corners of Europe, there's been a bit of reluctance among EU regulators to accept cloud computing as an appropriate means of handling personal data,” says Alan Raul, global coordinator of Sidley Austin's privacy, data security and information law practice. “[This opinion] will have influence because it does reflect an acceptance of cloud computing under the specified circumstances, which is a step forward.”
It also reflects some measure of accord with the way U.S. regulators have begun to address the protection of personal data sent to or processed in the cloud. For instance, the U.S. Federal Financial Institutions Examination Council on July 10 issued its own cloud-computing guidance for financial institutions. Like the WP 29, the guidance took the approach of making the client responsible for conducting due diligence on cloud providers to ensure information security.
“Both the regulators in the U.S. and the EU Data Protection Authorities are converging on a consensus that cloud computing is essentially efficient and therefore desirable and, subject to certain appropriate safeguards, is a perfectly acceptable approach to handling computer storage and processing,” Raul says.
Giving Guidance
A key conclusion of the WP 29 opinion is that entities considering storing or processing their data with a cloud provider should conduct a thorough risk analysis (see “Risk Assessment”). The WP 29 opinion identifies two broad categories of data-protection risk related to cloud computing: lack of control over personal data and lack of transparency about a cloud's processing operations. It goes on to outline guidelines for clients and providers of cloud-computing services.
“It's impossible to get advice from all these different member states. This is the best advice from a government authority that lawyers, data-protection specialists and chief information officers can look at to make good choices [regarding] data protection if they have data being created or received in Europe,” says David Kessler, a partner at Fulbright & Jaworski and a member of its cloud task force.
Entities considering cloud computing need to choose their cloud providers carefully, the report says, and it's the clients' responsibility to ensure their providers and any commissioned subcontractors can guarantee data security and compliance with the fundamental EU data-protection principles of transparency, purpose specification/limitation and appropriate data-retention policies and procedures.
The WP 29 provides a 14-point checklist of issues companies should include in client-provider contracts, such as specifications on how data is handled and secured, and on the client's rights to monitor and be informed of data processing, usage and access. Some of the recommendations may depart from most cloud providers' standard practices, such as imposing on providers the obligation to provide “a list of locations in which the data may be processed.” But in light of the WP 29 document, says Mark Prinsley, head of Mayer Brown's intellectual property & IT group in London, it likely will be easier for businesses to negotiate contracts.
“This opinion will help the small- to medium-size business that might not have as much commercial clout in its negotiations with major suppliers to make sure they get contracts that protect the personal data being processed on their behalf,” Prinsley says.
Risk Assessment
A main conclusion of the Article 29 Working Party (WP 29) report is that companies considering cloud usage should first conduct a “comprehensive and thorough” analysis of risk related to cloud usage. The recommendations the WP provides are a helpful guide to making that assessment.